It seems like every other day there’s a “new” security scanner on the market that everyone is told they simply must have in order to ensure the security of their systems. Why do we have so many different types of scanners? Is there another way? Randy Nash shares his opinion.

Like this article? We recommend

So Many Tools...

As Internet-based technology evolves, more work than ever is being done on the Web. More types of services and information are being served up, and in more ways ever imagined by the original founders of the Internet. Years ago a website consisted primarily of some data served up via either static Web pages or some dynamic pages that would pull data from some sort of repository. You had HTML, some JavaScript, and maybe some Perl on the back end to make things easier. That world is long gone.

Today we have HTML, XHTML, JSP, ASP, PHP and tons more. There are databases, streaming multimedia, and more scripting languages than I have time and space to enumerate here. As all of this various technology has evolved, the need to test it all to ensure security has grown dramatically.

Unfortunately, because there are so many ways to serve up information, many methods of testing are also needed. We need patch management scanners to make sure everything is patched. We need vulnerability scanners to look for weaknesses in operating systems and the services they host. We need to test out databases to make sure information is stored in a secure manner. And we need to test the Web-based applications that provide this information, to guarantee that there's no way to get around all the other security. We need to make sure our systems follow a standard configuration—not just for security but also for compliance, as governed by the Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and other entities.

Fortunately, or perhaps not, an entire market has evolved to meet these needs. You can buy patch management solutions, vulnerability scanners, database scanners, application test suites, and compliance software, too. But how many scanners do we really need? Isn't there a better way?